Denial of Service and Distributed Denial of Service Attacks

Objectives:
1. To understand denial of service and distributed denial of service.
2. To take a glance at DoS techniques.

Distributed denial of service (DDoS) attacks present a significant security threat to corporations, and the threat appears to be growing. In one study, covering a three-week period in 2001, investigators observed more than 12,000 attacks against more than 5000 distinct targets, ranging from well-known e-commerce companies such as Amazon and Hotmail to small foreign ISPs and dial-up connections. DDoS attacks make computer systems inaccessible by flooding servers, networks, or even end-user systems with useless traffic so that legitimate users can no longer gain access to those resources. In a typical DDoS attack, a large number of compromised hosts are amassed to send useless packets. In recent years, the attack methods and tools have become more sophisticated, effective, and more difficult to trace to the real attackers, while defense technologies have been unable to withstand large-scale attacks.

A denial of service (DoS) attack is an attempt to prevent legitimate users of a service from using that service. When this attack comes from a single host or network node, it is simply referred to as a DoS attack. A more serious threat is posed by a DDoS attack. In a DDoS attack, an attacker is able to recruit a number of hosts throughout the Internet to launch an attack upon the target simultaneously or in a coordinated fashion. A DDoS attack attempts to consume the target's resources so that it cannot provide service.

One way to classify DDoS attacks is in terms of the type of resource that is consumed. Broadly speaking, the resource consumed is either an internal host resource on the target system or data transmission capacity in the local network to which the target is attached.
A simple example of an internal resource attack is the SYN flood attack. Figure 1a shows the steps involved:
1. The attacker takes control of multiple hosts over the Internet, instructing them to contact the target Web server.
2. The slave hosts begin sending TCP/IP SYN (synchronize/initialization) packets, with erroneous return IP address information, to the target. The victim tries to send a SYN/ACK packet to the spoofed address. If the spoofed system exists, it would normally respond with an RST packet to the victim because it did not initiate the connection. The attackers must therefore choose a system that is unreachable, so the victim sends a SYN/ACK packet and never receives an RST packet back. This potential connection is now in the SYN_RECV state and is placed into a connection queue. The system is now committed to setting up a connection, and this potential connection will only be flushed from the queue after the connection-establishment timer expires. The connection timer varies from system to system but could be as short as 75 seconds or as long as 23 minutes for some broken IP implementations. Because the connection queue is normally very small, attackers may only have to send a few SYN packets every 10 seconds to completely disable a specific port. The system under attack will never be able to clear the backlog queue before receiving new SYN requests.
3. Each SYN packet is a request to open a TCP connection. For each such packet, the Web server responds with a SYN/ACK (synchronize/acknowledge) packet, trying to establish a TCP connection with a TCP entity at a spurious IP address. The Web server maintains a data structure for each SYN request waiting for a response back and becomes bogged down as more traffic floods in. The result is that legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections.
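As an added example (not part of the lab handout), the following Python models the victim's SYN_RECV connection queue described in step 2 and runs a detection check over a constructed packet trace: a SYN opens a half-open entry, the client's ACK completes it, and an entry that is never completed lingers until the 75-second connection-establishment timer expires. The server address, client addresses, ports and the 5-slot backlog are assumed sample values.

```python
import re

# Constructed packet trace (not real capture output) as seen at a web server, 203.0.113.5:80.
# Fields: seconds, client socket -> server socket, TCP flags (S = SYN, A = ACK, F = FIN).
# Two clients complete the three-way handshake; five SYNs come from sources that never
# answer the server's SYN/ACK, which is what a spoofed-source SYN flood looks like.
TRACE = """\
0.10 198.51.100.7:40021 -> 203.0.113.5:80 S
0.11 198.51.100.7:40021 -> 203.0.113.5:80 A
0.50 198.51.100.9:51000 -> 203.0.113.5:80 S
0.51 198.51.100.9:51000 -> 203.0.113.5:80 A
2.00 10.11.12.13:1025 -> 203.0.113.5:80 S
2.05 10.11.12.14:1025 -> 203.0.113.5:80 S
2.10 10.11.12.15:1025 -> 203.0.113.5:80 S
2.15 10.11.12.16:1025 -> 203.0.113.5:80 S
2.20 10.11.12.17:1025 -> 203.0.113.5:80 S
9.00 198.51.100.9:51000 -> 203.0.113.5:80 FA
"""

LINE_RE = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+->\s+\S+:(\d+)\s+([SAF]+)$")


def parse_trace(text):
    """Yield (time, client socket, server port, flags) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m.group(1)), m.group(2), int(m.group(3)), m.group(4)


def half_open_at(text, now, port=80, timeout=75.0):
    """Model the server's SYN_RECV queue for `port` at time `now`: a SYN opens an entry,
    the client's ACK completes it, and an uncompleted entry is flushed only when the
    connection-establishment timer (`timeout` seconds) expires. Returns the client
    sockets still half-open."""
    pending = {}
    for t, client, dport, flags in parse_trace(text):
        if dport != port or t > now:
            continue
        if "S" in flags:
            pending[client] = t              # SYN: new half-open entry
        elif "A" in flags:
            pending.pop(client, None)        # client's ACK: handshake completed
    return {c for c, t in pending.items() if now - t < timeout}


def syn_flood_suspected(text, now, backlog=5, port=80, timeout=75.0):
    """Alert when the half-open entries would fill a connection queue of `backlog` slots."""
    return len(half_open_at(text, now, port, timeout)) >= backlog
```

At t = 3 s the five unanswered SYNs fill the assumed 5-slot backlog and the check fires; by t = 80 s the timer has flushed them, which is why a small backlog combined with a long timer is so easy to keep saturated.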
Figure 1

The TCP state data structure is a popular internal resource target but by no means the only one. Further examples include the following:
1. In many systems, a limited number of data structures are available to hold process information (process identifiers, process table entries, process slots, etc.). An intruder may be able to consume these data structures by writing a simple program or script that does nothing but repeatedly create copies of itself.
2. An intruder may also attempt to consume disk space in other ways, including
   a. generating excessive numbers of mail messages
   b. intentionally generating errors that must be logged
   c. placing files in anonymous ftp areas or network-shared areas
Figure 1b illustrates an example of an attack that consumes data transmission resources. The following steps are involved:
1. The attacker takes control of multiple hosts over the Internet, instructing them to send ICMP ECHO packets with the target's spoofed IP address to a group of hosts that act as reflectors, as described subsequently. The Internet Control Message Protocol (ICMP) is an IP-level protocol for the exchange of control packets between a router and a host or between hosts. The ECHO packet requires the recipient to respond with an echo reply to check that communication is possible between entities.
2. Nodes at the bounce site receive multiple spoofed requests and respond by sending echo reply packets to the target site.
3. The target's router is flooded with packets from the bounce site, leaving no data transmission capacity for legitimate traffic.

Another way to classify DDoS attacks is as either direct or reflector DDoS attacks. In a direct DDoS attack (Figure 2a), the attacker is able to implant zombie software on a number of sites distributed throughout the Internet. Often, the DDoS attack involves two levels of zombie machines: master zombies and slave zombies. The hosts of both types have been infected with malicious code. The attacker coordinates and triggers the master zombies, which in turn coordinate and trigger the slave zombies. The use of two levels of zombies makes it more difficult to trace the attack back to its source and provides for a more resilient network of attackers.

A reflector DDoS attack adds another layer of machines (Figure 2b). In this type of attack, the slave zombies construct packets requiring a response that contain the target's IP address as the source IP address in the packet's IP header. These packets are sent to uninfected machines known as reflectors. The uninfected machines respond with packets directed at the target machine.
A reflector DDoS attack can easily involve more machines and more traffic than a direct DDoS attack and hence be more damaging. Further, tracing back the attack or filtering out the attack packets is more difficult because the attack comes from widely dispersed uninfected machines.
Figure 2

Ping of Death: More Details

Ping of death (ping -l 65510 192.168.2.3) on a Windows system (where 192.168.2.3 is the IP address of the intended victim). The "Ping o' Death" takes advantage of the ability of the Internet Protocol (the protocol on top of which all other Internet protocols are built) to fragment packets. This works as follows. The specification for the Internet Protocol (IP) says that a packet may be up to 65,535 (2^16 - 1) bytes in length, including the packet header. But the specifications for most network technologies in use today do not allow packets that big; for example, the maximum Ethernet packet size is 1,500 bytes. To allow large packets to be sent, IP allows the sender to break a large packet up into several smaller packets. Each fragment packet contains an offset value that says where in the larger packet this fragment belongs: the first fragment will have an offset of zero, the second fragment will have an offset equal to the length of the first fragment, and so on. Note that this makes it possible to combine a valid offset with a suitable fragment size such that (offset + size) is greater than 65,535, the maximum size of a packet.

The problem arises in the way packet fragmentation is implemented by most systems. Typically, they do not attempt to process a packet until all the fragments have been received and an attempt has been made to reassemble them into one big packet. This opens these systems to the possibility of overflow of 16-bit internal variables, resulting in system crashes, protocol hangs, and other problems. This problem was first discovered in the context of sending ICMP ECHO REQUEST packets, commonly called "ping" packets after the application program used to send them. Most implementations of "ping" will not allow improperly sized packets to be sent, although there are several exceptions to this (and many systems can be modified to allow it, in any case). Because sending a single, large (65,510 bytes) "ping" packet to many systems will cause them to hang or even crash, this problem was quickly dubbed the "Ping of Death".

Now let us summarize DoS techniques:
1) ICMP floods: "Ping of Death".
2) SYN flood.
3) UDP floods: Due to the unreliable nature of UDP, it is relatively trivial to send overwhelming streams of UDP packets that can cause noticeable computational load to a system. There is nothing technically extraordinary about UDP flooding beyond the ability to send as many UDP packets as possible in the shortest amount of time.
4) Application layer: An attacker finds a resource on a popular Internet site that requires very little computation for the client to request and yet causes a very high computational load on the server to deliver. A good example of this is initiating multiple simultaneous searches across a bulletin board site (for example, vbulletin, phpbb). Using perhaps as little as a few queries per second, the attacker can now bring the site to its knees.
5) Fragmentation overlap: Overlapping TCP/IP packet fragments caused many OSes to suffer crashes and resource starvation issues. Exploit code was released with names such as teardrop, bonk, boink, and nestea.
6) Nukers: A Windows vulnerability of some years ago in which out-of-band (OOB) packets (TCP segments with the URG bit set) sent to a system caused it to crash. These attacks became very popular on chat and game networks for disabling anyone who crossed you.
7) IP fragmentation: When the maximum fragmentation offset is specified by the source (attacker) system, the destination computer or network infrastructure (victim) can be made to perform significant computational work reassembling packets.

DDoS Countermeasures

In general, there are three lines of defense against DDoS attacks:

Attack prevention and preemption (before the attack): These mechanisms enable the victim to endure attack attempts without denying service to legitimate clients. Techniques include enforcing policies for resource consumption and providing backup resources available on demand. In addition, prevention mechanisms modify systems and protocols on the Internet to reduce the possibility of DDoS attacks.

Attack detection and filtering (during the attack): These mechanisms attempt to detect the attack as it begins and respond immediately. This minimizes the impact of the attack on the target. Detection involves looking for suspicious patterns of behavior. Response involves filtering out packets likely to be part of the attack.

Attack source traceback and identification (during and after the attack): This is an attempt to identify the source of the attack as a first step in preventing future attacks. However, this method typically does not yield results fast enough, if at all, to mitigate an ongoing attack.

DDoS Countermeasures Techniques: This portion is left for you. Refer to the books and the "Read More" documents on the lab web page. In your lab report, it is strongly recommended that you include DDoS countermeasure techniques and your comments on this lab.

References:
1. Cryptography and Network Security: Principles and Practices, Fourth Edition, by William Stallings.
2. Hacking Exposed: Network Security Secrets and Solutions, 6th edition, by Stuart McClure, Joel Scambray, and George Kurtz.
3. http://www.securityfocus.com
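Returning to the Ping of Death discussion above, here is an added example (not code from the handout, from Windows, or from any real IP stack) that models the reassembly bounds check. The vulnerable reassembler keeps its total in a 16-bit variable, so the sum offset + size + header wraps and the "> 65,535" test can never fail; the hardened one checks in full-width arithmetic before allocating. It assumes a 1500-byte Ethernet MTU, a minimal 20-byte IPv4 header and an 8-byte ICMP header, and keeps fragment offsets in bytes rather than the 8-byte units real headers use; the 65,510-byte payload is the one in the lab's ping command.

```python
MAX_IP_DATAGRAM = 65535      # the IP total-length field is 16 bits: 2^16 - 1
IP_HEADER_LEN = 20           # minimal IPv4 header
ICMP_HEADER_LEN = 8          # ICMP echo header in front of the ping payload
ETH_MTU = 1500               # largest IP packet an Ethernet link carries


def fragments_for_ping(ping_payload_len, mtu=ETH_MTU):
    """Constructed model, not a real stack's code. Split the IP payload of an ICMP echo
    into (byte offset, length) fragments the way a sender on a 1500-byte MTU link would.
    Real headers carry offsets in 8-byte units, which is why fragment data is 8-aligned."""
    ip_payload = ICMP_HEADER_LEN + ping_payload_len
    max_frag = (mtu - IP_HEADER_LEN) // 8 * 8   # 1480 bytes of data per fragment
    frags, off = [], 0
    while off < ip_payload:
        n = min(max_frag, ip_payload - off)
        frags.append((off, n))
        off += n
    return frags


def reassemble_vulnerable(frags):
    """Reassembler whose bounds check lives in a 16-bit variable (emulated with & 0xFFFF):
    the sum wraps, so the '> 65535' test can never fail. Returns (accepted, bytes the copy
    would write past a MAX_IP_DATAGRAM-sized buffer); a real stack would corrupt memory."""
    end = 0
    for off, n in frags:
        total16 = (IP_HEADER_LEN + off + n) & 0xFFFF
        if total16 > MAX_IP_DATAGRAM:            # dead code: a 16-bit value never exceeds 65535
            return False, 0
        end = max(end, IP_HEADER_LEN + off + n)  # what is actually written
    return True, max(0, end - MAX_IP_DATAGRAM)


def reassemble_checked(frags):
    """Hardened reassembler: full-width arithmetic, header included, checked before any
    buffer is allocated or copied into. Returns the datagram length or raises."""
    end = 0
    for off, n in frags:
        total = IP_HEADER_LEN + off + n
        if total > MAX_IP_DATAGRAM:
            raise ValueError(f"fragment at offset {off} would make the datagram {total} bytes")
        end = max(end, total)
    return end


if __name__ == "__main__":
    for size in (32, 65507, 65510):   # 65510 is the payload in the lab's ping command
        frags = fragments_for_ping(size)
        print(size, len(frags), reassemble_vulnerable(frags))
```

A 65,507-byte payload is the largest that fits (20 + 8 + 65,507 = 65,535) and both reassemblers accept it; with 65,510 the last fragment ends 3 bytes past the buffer, which the vulnerable check cannot see and the hardened check rejects.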